Don’t forget to get your early entries in for the Made in Germany giveaway, taking place April 9-11 here on NOH.


As I’m sure you noticed, NOH was down for about a week due to an unfortunate hacking incident. Although I could have had the blog back up much more quickly, I elected to take some extra precautions, move my blog to a new server and otherwise just put the screws into the system to try to prevent this from happening again.

If you’ve never been hacked before, be thankful. But just because it has not YET happened to you does not mean it never will. You should always be prepared for the worst to happen, and hopefully you will never need to use your backups. But many things can and do happen in the Internet world, so you can never be too careful.

I’ve put together a few pieces of advice that I picked up while dealing with the hackers, and tips for keeping your WordPress site safer. Nothing will make you impenetrable…but like a locked door on your home, sometimes making it harder for a hacker to break in will just encourage them to move on to someone else’s site where they have an easier time of wreaking havoc.

  1. If you wake up one morning and find your blog has been taken over by hackers, remain calm and take a deep breath. There are so many things you probably want to say or do in that instant — but the most important thing is just to relax and look around for your backups. Sometimes your host will be able to fix the problem quickly — but other times, you will have to wipe your server clean and start again to make sure all traces of the hackers are gone and that the back doors are closed. Hackers like to help other hackers out: if they get in and cause trouble, they’ll do their best to leave some random code behind for the next hacker who comes along, so that one has an easier time getting in. Isn’t that sweet of them?
  2. Maintain backups of your WordPress blog; both the database and the PHP files (especially the wp-content folder)! Do not assume your host will do it for you. There are plugins like WP-DB-Backup that will help you schedule backups of your database and can send them to you via email on a regular basis. But unfortunately I find that plugin to be quite buggy, and it works very poorly with at least one other plugin I run on my blog. Which is very depressing, because when it works, it is fantastic! I have also used the Automatic WordPress Backup plugin
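If you would rather not depend on a plugin for this, a small script run from cron does the same job. The following is an added example, not code from this post or from any of the plugins it names: it dumps the database (only when mysqldump is installed and the credentials are supplied through the environment, so they never sit in the script) and archives wp-content into one dated bundle with a SHA-256 checksum, so a truncated or tampered backup is caught before you restore from it. The paths and the DB_NAME/DB_USER/DB_PASS variables are assumptions to adjust for your own host.

```shell
# Added example (not from the post): dated, checksummed backup of a WordPress
# site's database and wp-content folder.
# Assumptions (hypothetical, adjust for your host):
#   $1 = path to the WordPress install, $2 = directory for archives
#   DB_NAME / DB_USER / DB_PASS exported in the environment (values from wp-config.php)

wp_backup() {
    wp_root="$1"
    mkdir -p "$2"
    backup_dir=$(cd "$2" && pwd)          # absolute, so later cd's don't break it
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)

    # 1. Database dump, skipped when mysqldump or the credentials are absent.
    if command -v mysqldump >/dev/null 2>&1 && [ -n "$DB_NAME" ]; then
        mysqldump --single-transaction --user="$DB_USER" --password="$DB_PASS" "$DB_NAME" \
            > "$work/db-$stamp.sql"
    fi

    # 2. wp-content (themes, plugins, uploads). The cache directory is excluded;
    #    everything else in wp-content is needed for a restore.
    (cd "$wp_root" && tar -czf "$work/wp-content-$stamp.tgz" --exclude='wp-content/cache' wp-content)

    # 3. Bundle both parts and write a checksum beside the bundle.
    bundle="$backup_dir/wp-backup-$stamp.tar"
    (cd "$work" && tar -cf "$bundle" .)
    (cd "$backup_dir" && sha256sum "$(basename "$bundle")" > "$bundle.sha256")
    rm -rf "$work"
    echo "$bundle"                        # path of the finished archive
}

# Check an archive against its checksum; exit status 0 means it is intact.
wp_backup_verify() {
    archive="$1"
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null)
}
```

Point the backup directory somewhere outside the web root, and copy the archives off the server as well; a backup that lives next to the site is wiped along with it.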
  3. Only use secured FTP methods to transfer files back and forth on your server. Any time you use an unprotected FTP transfer, you are not only making the data you are transferring available to be grabbed, but you are also making your login information vulnerable. So do yourself a favor and just log in via SFTP instead. You may need to have your host enable something like SSH so that this will work.
  4. Delete plugins that you’re not using anymore. Just like throwing out the excess paper in your filing cabinet, if you have plugins installed that you only keep deactivated or simply don’t use anymore, do yourself a favor and get them out of your site. Each plugin (especially those that are never updated) makes your site just a little more vulnerable to hackers.
  5. When WordPress releases an update, make sure you update to the latest version. In most cases, you will be able to use the automatic installation feature. The reason is that an update is usually triggered by some sort of attack on WP blogs. Sometimes a serious hole has been discovered in the framework that leaves you exposed to hackers, so performing these updates is not optional but necessary. Keep your plugins up to date as well.
  6. Check for code that may make your blog vulnerable. There is a plugin called Exploit Scanner which will show you potentially malicious code that may have been inserted into your plugins or other code on your site. It can be rather misleading if you don’t really know that much about programming, but if you run it from time to time, and one day notice a lot of code that was not there before, you know you’ve got a problem. There are also plugins available that will notify you when code is modified on your blog, so you can make sure it’s you making the changes.
  7. Change your passwords on a regular basis and don’t make them too simple. Try to avoid using actual words and successive numbers. Keeping them all written down somewhere is also risky, but if you start some sort of naming convention that you can stick to but modify for each site, you will allow yourself to have more secure passwords that aren’t spread all over the ‘Net. For example, a two-digit number, a symbol, your initials, another symbol or number, and a 3-4 digit code for the program the password goes to (e.g. 20+AB11fir for Firefox — only the last 3 digits would change from site to site).
  8. Back up the files on your computer. Not only do you need to back up your website, but you also need backups of the data on your computer should something happen to it. Keeping multiple backups in various formats is the safest bet, such as DVD, external hard drive, USB stick and your PC. I’m currently using Cloudberry Desktop Backup to my Amazon S3 server.
  9. Disable user registration if you’re not using that feature of WordPress. The last thing you want to do is give hackers any sort of access to your admin pages. So if there is no reason for people to be able to register on your site, turn off this feature. You’ll find the setting under Settings –> General (the box next to “Anyone can register” should be unticked).
  10. Get the WordPress Defender ebook from John Hoff if you really want to get in depth about protecting your WordPress sites, and learn how to do things like change your login username, use .htaccess and robots.txt to protect your blog and a whole lot more. I’ve had the ecourse for over a year now and John sends out very useful updates and information from time to time — plus, if you have a crisis, he will be there to help you clean it up and can recommend some great people to work with who specialize in recovering hacked blogs. He knows because he’s been there!

What are you doing to protect your blog?